Scratching the Surface of Rhysida Ransomware
ID: c094d726-511b-5a9c-a19f-1c6ba7b49b6b
STIX ID: report--c094d726-511b-5a9c-a19f-1c6ba7b49b6b
Feed Name: WatchGuard Secplicity Blog
This report analyzes an early-stage Rhysida ransomware sample: an unpacked MinGW-built binary (~1.2MB) that uses ChaCha20 for file encryption with AES/CHC constructs and RSA-4096-OAEP to encrypt the keys, appends the .rhysida extension, drops a PDF ransom note (CriticalBreachDetected.pdf), and exposes a TOR extortion portal (no victims observed). It documents the command-line options, self-deletion via PowerShell, and the files and directories excluded from encryption, and provides file hashes and behavioral details useful for detection and response.
